wpa_supplicant: Allow OpenSSL cipherlist string to be configured
The new openssl_cipher configuration parameter can be used to select which TLS cipher suites are enabled for TLS-based EAP methods when OpenSSL is used as the TLS library. This parameter can be used both as a global parameter to set the default for all network blocks and as a network block parameter to override the default for each network profile. Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
parent
f8995f8f1c
commit
07e2de3193
14 changed files with 64 additions and 2 deletions
|
@ -1418,6 +1418,7 @@ struct eap_sm * eap_peer_sm_init(void *eapol_ctx,
|
||||||
tlsconf.opensc_engine_path = conf->opensc_engine_path;
|
tlsconf.opensc_engine_path = conf->opensc_engine_path;
|
||||||
tlsconf.pkcs11_engine_path = conf->pkcs11_engine_path;
|
tlsconf.pkcs11_engine_path = conf->pkcs11_engine_path;
|
||||||
tlsconf.pkcs11_module_path = conf->pkcs11_module_path;
|
tlsconf.pkcs11_module_path = conf->pkcs11_module_path;
|
||||||
|
tlsconf.openssl_ciphers = conf->openssl_ciphers;
|
||||||
#ifdef CONFIG_FIPS
|
#ifdef CONFIG_FIPS
|
||||||
tlsconf.fips_mode = 1;
|
tlsconf.fips_mode = 1;
|
||||||
#endif /* CONFIG_FIPS */
|
#endif /* CONFIG_FIPS */
|
||||||
|
|
|
@ -267,6 +267,14 @@ struct eap_config {
|
||||||
* Usually, path to opensc-pkcs11.so.
|
* Usually, path to opensc-pkcs11.so.
|
||||||
*/
|
*/
|
||||||
const char *pkcs11_module_path;
|
const char *pkcs11_module_path;
|
||||||
|
/**
|
||||||
|
* openssl_ciphers - OpenSSL cipher string
|
||||||
|
*
|
||||||
|
* This is an OpenSSL specific configuration option for configuring the
|
||||||
|
* default ciphers. If not set, "DEFAULT:!EXP:!LOW" is used as the
|
||||||
|
* default.
|
||||||
|
*/
|
||||||
|
const char *openssl_ciphers;
|
||||||
/**
|
/**
|
||||||
* wps - WPS context data
|
* wps - WPS context data
|
||||||
*
|
*
|
||||||
|
|
|
@ -686,6 +686,15 @@ struct eap_peer_config {
|
||||||
* has more than one.
|
* has more than one.
|
||||||
*/
|
*/
|
||||||
int sim_num;
|
int sim_num;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* openssl_ciphers - OpenSSL cipher string
|
||||||
|
*
|
||||||
|
* This is an OpenSSL specific configuration option for configuring the
|
||||||
|
* ciphers for this connection. If not set, the default cipher suite
|
||||||
|
* list is used.
|
||||||
|
*/
|
||||||
|
char *openssl_ciphers;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -167,6 +167,8 @@ static int eap_tls_params_from_conf(struct eap_sm *sm,
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
params->openssl_ciphers = config->openssl_ciphers;
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
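Review bot: The added assignment `params->openssl_ciphers = config->openssl_ciphers;` passes the per-network value through unchanged, including NULL, and nothing in the hunk says that NULL means "use the global default" rather than "no cipher list"; the fallback to the global value presumably happens in the TLS layer, which is outside this commit. A one-line comment above the assignment would make that contract visible to the next reader, e.g. `/* NULL: keep the TLS library's configured default cipher list */`. The enclosing function eap_tls_params_from_conf starts outside the hunk.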
|
@ -2026,6 +2026,7 @@ struct eapol_sm *eapol_sm_init(struct eapol_ctx *ctx)
|
||||||
conf.opensc_engine_path = ctx->opensc_engine_path;
|
conf.opensc_engine_path = ctx->opensc_engine_path;
|
||||||
conf.pkcs11_engine_path = ctx->pkcs11_engine_path;
|
conf.pkcs11_engine_path = ctx->pkcs11_engine_path;
|
||||||
conf.pkcs11_module_path = ctx->pkcs11_module_path;
|
conf.pkcs11_module_path = ctx->pkcs11_module_path;
|
||||||
|
conf.openssl_ciphers = ctx->openssl_ciphers;
|
||||||
conf.wps = ctx->wps;
|
conf.wps = ctx->wps;
|
||||||
conf.cert_in_cb = ctx->cert_in_cb;
|
conf.cert_in_cb = ctx->cert_in_cb;
|
||||||
|
|
||||||
|
|
|
@ -209,6 +209,15 @@ struct eapol_ctx {
|
||||||
*/
|
*/
|
||||||
const char *pkcs11_module_path;
|
const char *pkcs11_module_path;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* openssl_ciphers - OpenSSL cipher string
|
||||||
|
*
|
||||||
|
* This is an OpenSSL specific configuration option for configuring the
|
||||||
|
* default ciphers. If not set, "DEFAULT:!EXP:!LOW" is used as the
|
||||||
|
* default.
|
||||||
|
*/
|
||||||
|
const char *openssl_ciphers;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* wps - WPS context data
|
* wps - WPS context data
|
||||||
*
|
*
|
||||||
|
|
|
@ -1682,6 +1682,7 @@ static const struct parse_data ssid_fields[] = {
|
||||||
{ INTe(engine2) },
|
{ INTe(engine2) },
|
||||||
{ INT(eapol_flags) },
|
{ INT(eapol_flags) },
|
||||||
{ INTe(sim_num) },
|
{ INTe(sim_num) },
|
||||||
|
{ STRe(openssl_ciphers) },
|
||||||
#endif /* IEEE8021X_EAPOL */
|
#endif /* IEEE8021X_EAPOL */
|
||||||
{ FUNC_KEY(wep_key0) },
|
{ FUNC_KEY(wep_key0) },
|
||||||
{ FUNC_KEY(wep_key1) },
|
{ FUNC_KEY(wep_key1) },
|
||||||
|
@ -1903,6 +1904,7 @@ static void eap_peer_config_free(struct eap_peer_config *eap)
|
||||||
os_free(eap->pac_file);
|
os_free(eap->pac_file);
|
||||||
bin_clear_free(eap->new_password, eap->new_password_len);
|
bin_clear_free(eap->new_password, eap->new_password_len);
|
||||||
str_clear_free(eap->external_sim_resp);
|
str_clear_free(eap->external_sim_resp);
|
||||||
|
os_free(eap->openssl_ciphers);
|
||||||
}
|
}
|
||||||
#endif /* IEEE8021X_EAPOL */
|
#endif /* IEEE8021X_EAPOL */
|
||||||
|
|
||||||
|
@ -2023,6 +2025,7 @@ void wpa_config_free(struct wpa_config *config)
|
||||||
os_free(config->opensc_engine_path);
|
os_free(config->opensc_engine_path);
|
||||||
os_free(config->pkcs11_engine_path);
|
os_free(config->pkcs11_engine_path);
|
||||||
os_free(config->pkcs11_module_path);
|
os_free(config->pkcs11_module_path);
|
||||||
|
os_free(config->openssl_ciphers);
|
||||||
os_free(config->pcsc_reader);
|
os_free(config->pcsc_reader);
|
||||||
str_clear_free(config->pcsc_pin);
|
str_clear_free(config->pcsc_pin);
|
||||||
os_free(config->driver_param);
|
os_free(config->driver_param);
|
||||||
|
@ -3823,6 +3826,7 @@ static const struct global_parse_data global_fields[] = {
|
||||||
{ STR(opensc_engine_path), 0 },
|
{ STR(opensc_engine_path), 0 },
|
||||||
{ STR(pkcs11_engine_path), 0 },
|
{ STR(pkcs11_engine_path), 0 },
|
||||||
{ STR(pkcs11_module_path), 0 },
|
{ STR(pkcs11_module_path), 0 },
|
||||||
|
{ STR(openssl_ciphers), 0 },
|
||||||
{ STR(pcsc_reader), 0 },
|
{ STR(pcsc_reader), 0 },
|
||||||
{ STR(pcsc_pin), 0 },
|
{ STR(pcsc_pin), 0 },
|
||||||
{ INT(external_sim), 0 },
|
{ INT(external_sim), 0 },
|
||||||
|
|
|
@ -516,6 +516,15 @@ struct wpa_config {
|
||||||
*/
|
*/
|
||||||
char *pkcs11_module_path;
|
char *pkcs11_module_path;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* openssl_ciphers - OpenSSL cipher string
|
||||||
|
*
|
||||||
|
* This is an OpenSSL specific configuration option for configuring the
|
||||||
|
* default ciphers. If not set, "DEFAULT:!EXP:!LOW" is used as the
|
||||||
|
* default.
|
||||||
|
*/
|
||||||
|
char *openssl_ciphers;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* pcsc_reader - PC/SC reader name prefix
|
* pcsc_reader - PC/SC reader name prefix
|
||||||
*
|
*
|
||||||
|
|
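Review bot: The new field documentation in this hunk (and the parallel ones added to struct eap_config and struct eapol_ctx in the other header hunks) calls the value OpenSSL specific but does not say what happens when wpa_supplicant is built against another TLS library; as far as the visible hunks show, the string is parsed and stored in every build and nothing reports that it is being ignored, so an operator who configures a restricted cipher list may believe it is enforced when it is not. Consider adding to the docstring: `Note: the value is accepted in every build but has no effect unless wpa_supplicant uses OpenSSL as its TLS library.` A debug message at the point where a non-OpenSSL TLS backend ignores the value would complement this, but that code is outside this commit.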
|
@ -938,6 +938,8 @@ static void wpa_config_write_global(FILE *f, struct wpa_config *config)
|
||||||
if (config->pkcs11_module_path)
|
if (config->pkcs11_module_path)
|
||||||
fprintf(f, "pkcs11_module_path=%s\n",
|
fprintf(f, "pkcs11_module_path=%s\n",
|
||||||
config->pkcs11_module_path);
|
config->pkcs11_module_path);
|
||||||
|
if (config->openssl_ciphers)
|
||||||
|
fprintf(f, "openssl_ciphers=%s\n", config->openssl_ciphers);
|
||||||
if (config->pcsc_reader)
|
if (config->pcsc_reader)
|
||||||
fprintf(f, "pcsc_reader=%s\n", config->pcsc_reader);
|
fprintf(f, "pcsc_reader=%s\n", config->pcsc_reader);
|
||||||
if (config->pcsc_pin)
|
if (config->pcsc_pin)
|
||||||
|
|
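Review bot: The writer side of this hunk covers only the global `openssl_ciphers`; none of the visible hunks adds a matching per-network write for the `openssl_ciphers` field that the ssid_fields hunk parses with STRe, so unless wpa_config_write_network already emits it outside this page, saving the configuration would silently drop the per-network override on the next reload. If it is missing, one line in the IEEE8021X_EAPOL part of wpa_config_write_network next to the other per-network EAP string fields would be enough, e.g. `STRe(openssl_ciphers);` using whatever macro that writer uses for eap string fields. The enclosing function wpa_config_write_global starts and ends outside the hunk.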
|
@ -568,6 +568,7 @@ static int test_eapol(struct eapol_test_data *e, struct wpa_supplicant *wpa_s,
|
||||||
ctx->opensc_engine_path = wpa_s->conf->opensc_engine_path;
|
ctx->opensc_engine_path = wpa_s->conf->opensc_engine_path;
|
||||||
ctx->pkcs11_engine_path = wpa_s->conf->pkcs11_engine_path;
|
ctx->pkcs11_engine_path = wpa_s->conf->pkcs11_engine_path;
|
||||||
ctx->pkcs11_module_path = wpa_s->conf->pkcs11_module_path;
|
ctx->pkcs11_module_path = wpa_s->conf->pkcs11_module_path;
|
||||||
|
ctx->openssl_ciphers = wpa_s->conf->openssl_ciphers;
|
||||||
ctx->eap_param_needed = eapol_test_eap_param_needed;
|
ctx->eap_param_needed = eapol_test_eap_param_needed;
|
||||||
ctx->cert_cb = eapol_test_cert_cb;
|
ctx->cert_cb = eapol_test_cert_cb;
|
||||||
ctx->cert_in_cb = 1;
|
ctx->cert_in_cb = 1;
|
||||||
|
|
|
@ -610,7 +610,8 @@ static char ** wpa_cli_complete_set(const char *str, int pos)
|
||||||
/* global configuration parameters */
|
/* global configuration parameters */
|
||||||
"eapol_version", "ap_scan", "disable_scan_offload",
|
"eapol_version", "ap_scan", "disable_scan_offload",
|
||||||
"fast_reauth", "opensc_engine_path", "pkcs11_engine_path",
|
"fast_reauth", "opensc_engine_path", "pkcs11_engine_path",
|
||||||
"pkcs11_module_path", "pcsc_reader", "pcsc_pin",
|
"pkcs11_module_path", "openssl_ciphers",
|
||||||
|
"pcsc_reader", "pcsc_pin",
|
||||||
"driver_param", "dot11RSNAConfigPMKLifetime",
|
"driver_param", "dot11RSNAConfigPMKLifetime",
|
||||||
"dot11RSNAConfigPMKReauthThreshold",
|
"dot11RSNAConfigPMKReauthThreshold",
|
||||||
"dot11RSNAConfigSATimeout",
|
"dot11RSNAConfigSATimeout",
|
||||||
|
|
|
@ -842,7 +842,7 @@ int wpa_supplicant_reload_configuration(struct wpa_supplicant *wpa_s)
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* TODO: should notify EAPOL SM about changes in opensc_engine_path,
|
* TODO: should notify EAPOL SM about changes in opensc_engine_path,
|
||||||
* pkcs11_engine_path, pkcs11_module_path.
|
* pkcs11_engine_path, pkcs11_module_path, openssl_ciphers.
|
||||||
*/
|
*/
|
||||||
if (wpa_key_mgmt_wpa_psk(wpa_s->key_mgmt)) {
|
if (wpa_key_mgmt_wpa_psk(wpa_s->key_mgmt)) {
|
||||||
/*
|
/*
|
||||||
|
|
|
@ -132,6 +132,16 @@ fast_reauth=1
|
||||||
# configure the path to the pkcs11 module required by the pkcs11 engine
|
# configure the path to the pkcs11 module required by the pkcs11 engine
|
||||||
#pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so
|
#pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so
|
||||||
|
|
||||||
|
# OpenSSL cipher string
|
||||||
|
#
|
||||||
|
# This is an OpenSSL specific configuration option for configuring the default
|
||||||
|
# ciphers. If not set, "DEFAULT:!EXP:!LOW" is used as the default.
|
||||||
|
# See https://www.openssl.org/docs/apps/ciphers.html for OpenSSL documentation
|
||||||
|
# on cipher suite configuration. This is applicable only if wpa_supplicant is
|
||||||
|
# built to use OpenSSL.
|
||||||
|
#openssl_ciphers=DEFAULT:!EXP:!LOW
|
||||||
|
|
||||||
|
|
||||||
# Dynamic EAP methods
|
# Dynamic EAP methods
|
||||||
# If EAP methods were built dynamically as shared object files, they need to be
|
# If EAP methods were built dynamically as shared object files, they need to be
|
||||||
# loaded here before being used in the network blocks. By default, EAP methods
|
# loaded here before being used in the network blocks. By default, EAP methods
|
||||||
|
@ -932,6 +942,10 @@ fast_reauth=1
|
||||||
# 1 = try to use OCSP stapling, but not require response
|
# 1 = try to use OCSP stapling, but not require response
|
||||||
# 2 = require valid OCSP stapling response
|
# 2 = require valid OCSP stapling response
|
||||||
#
|
#
|
||||||
|
# openssl_ciphers: OpenSSL specific cipher configuration
|
||||||
|
# This can be used to override the global openssl_ciphers configuration
|
||||||
|
# parameter (see above).
|
||||||
|
#
|
||||||
# EAP-FAST variables:
|
# EAP-FAST variables:
|
||||||
# pac_file: File path for the PAC entries. wpa_supplicant will need to be able
|
# pac_file: File path for the PAC entries. wpa_supplicant will need to be able
|
||||||
# to create this file and write updates to it when PAC is being
|
# to create this file and write updates to it when PAC is being
|
||||||
|
|
|
@ -881,6 +881,7 @@ int wpa_supplicant_init_eapol(struct wpa_supplicant *wpa_s)
|
||||||
ctx->opensc_engine_path = wpa_s->conf->opensc_engine_path;
|
ctx->opensc_engine_path = wpa_s->conf->opensc_engine_path;
|
||||||
ctx->pkcs11_engine_path = wpa_s->conf->pkcs11_engine_path;
|
ctx->pkcs11_engine_path = wpa_s->conf->pkcs11_engine_path;
|
||||||
ctx->pkcs11_module_path = wpa_s->conf->pkcs11_module_path;
|
ctx->pkcs11_module_path = wpa_s->conf->pkcs11_module_path;
|
||||||
|
ctx->openssl_ciphers = wpa_s->conf->openssl_ciphers;
|
||||||
ctx->wps = wpa_s->wps;
|
ctx->wps = wpa_s->wps;
|
||||||
ctx->eap_param_needed = wpa_supplicant_eap_param_needed;
|
ctx->eap_param_needed = wpa_supplicant_eap_param_needed;
|
||||||
ctx->port_cb = wpa_supplicant_port_cb;
|
ctx->port_cb = wpa_supplicant_port_cb;
|
||||||
|
|